Department of Health issues new regulations on private health information

On Wednesday the U.S. Department of Health and Human Services, in consultation with the Federal Trade Commission, issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act, or HIPAA, to notify people when the confidentiality of private health information had been violated.

The "breach notification" regulations are part of the stimulus act, according to a press release issued by Health and Human Services.

The regulations, developed by the Health and Human Services Office for Civil Rights, require health-care providers and other HIPAA-covered entities to promptly notify impacted individuals of a breach, as well as the government and the media in cases where a breach affects more than 500 individuals.

Breaches affecting smaller numbers must be reported to the government yearly.

The rule also applies to vendors of personal health records: online system locations where consumers collect and store their medical records in a single spot. Microsoft HealthVault and Google Health both offer such services.

"This new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the Office of Civil Rights.

"These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."

To determine when information is "unsecured" and notification is required by the HHS and FTC rules, the government is also requiring health documents be encrypted and destroyed so as to make confidential information unusable, unreadable, or indecipherable to those without authorized access.

The regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. For more information go to www.hhs.gov/ocr/privacy.
